Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

Darius Ghassem
Brief introduction to Dcdiag on Windows Server 2008 and Windows Server 2008 R2:

Dcdiag lets you test the functional state of the domain controllers in your domain for troubleshooting and health checks. It is a command-line tool that writes the results of its tests to the console, and it accepts parameters (for example /test:<TestName> to run a single test, or /v for verbose output) that let you narrow or deepen the checks when troubleshooting domain functionality. On Windows Server 2008 and 2008 R2 Dcdiag is built in; on earlier versions you had to install it from the Support Tools.

A common test that you might see fail in Dcdiag:

When you run dcdiag on a Windows Server 2008 domain controller you may see the error below. It looks like a serious problem with the domain, but it has no impact on you at all unless you plan to deploy Read-Only Domain Controllers (RODCs).

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=DOMAIN,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=DOMAIN,DC=COM
        ......................... Domain.com-DC1 failed test NCSecDesc

The output does say that part of the test failed, but the permission it is looking for is only needed by Read-Only Domain Controllers (RODCs). RODCs are a new feature of Windows Server 2008, and before the first one can be promoted the forest has to be prepared with adprep /rodcprep (adprep32 /rodcprep when run from a 32-bit machine). That step is not a schema update; it grants NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS the Replicating Directory Changes In Filtered Set right on the DomainDnsZones and ForestDnsZones application partitions, which is exactly the ACE that NCSecDesc checks for.

If you haven't run /rodcprep you will get this failure every time you run dcdiag. You can hide it with dcdiag /skip:NCSecDesc, but that only suppresses the check rather than fixing anything, so you can either live with the failed lines, which many admins including myself do, or run adprep /rodcprep, which adds the missing security descriptors to the naming context heads. Run /rodcprep as a member of Enterprise Admins; it has to contact the infrastructure master of each DNS application partition, so it will fail if that role is held by a domain controller that no longer exists.

If you don't plan on using RODCs, you can safely ignore this error in your dcdiag output. If you later decide to deploy one, run adprep /rodcprep first, because promoting the first RODC requires it.
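To see for yourself what the test is really checking, here is an added PowerShell check (not the article author's code) that reads the security descriptor of each DNS application partition, looks for the ENTERPRISE DOMAIN CONTROLLERS ACE carrying the Replicating Directory Changes In Filtered Set extended right, and then reports whether any RODC exists in the domain so you know whether the failure matters. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT; on Windows Server 2008 RTM you can inspect the same DNs with dsacls instead) and an account that can read the partition ACLs; the GUID is the published one for the DS-Replication-Get-Changes-In-Filtered-Set extended right.

```powershell
# Added example, not from the original article. Checks the same ACE that
# dcdiag's NCSecDesc test checks, directly on the partition ACLs.
# Assumes the ActiveDirectory module (2008 R2 / RSAT) and read access to the ACLs.
Import-Module ActiveDirectory

# Extended right NCSecDesc complains about: DS-Replication-Get-Changes-In-Filtered-Set
$filteredSetRight = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'
$enterpriseDCs    = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'   # well-known SID S-1-5-9
$extendedRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# The two DNS application partitions that the test reports on
$rootDse       = Get-ADRootDSE
$dnsPartitions = $rootDse.namingContexts |
    Where-Object { $_ -like 'DC=DomainDnsZones,*' -or $_ -like 'DC=ForestDnsZones,*' }

$missing = @()
foreach ($nc in $dnsPartitions) {
    $acl = Get-Acl -Path "AD:\$nc"
    # Allow ACE for Enterprise Domain Controllers whose object type is the filtered-set right
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $enterpriseDCs -and
        (($_.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) -and
        $_.ObjectType -eq $filteredSetRight
    }
    if ($ace) {
        Write-Host "OK      $nc : Enterprise Domain Controllers has Replicating Directory Changes In Filtered Set"
    } else {
        Write-Host "MISSING $nc : /rodcprep has not granted the right here, so NCSecDesc will fail"
        $missing += $nc
    }
}

# Does the failure actually matter? Only if an RODC exists (or is planned).
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if ($missing.Count -eq 0) {
    Write-Host 'All DNS application partitions are prepared; NCSecDesc should pass.'
} elseif ($rodcs) {
    $names = ($rodcs | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("RODCs exist ({0}) but {1} partition(s) lack the right; run adprep /rodcprep from the Windows Server 2008 media (\sources\adprep) as an Enterprise Admin." -f $names, $missing.Count)
} else {
    Write-Host 'No RODCs in this domain; the NCSecDesc failure is safe to ignore until you plan to deploy one.'
}
```

Run it on a domain controller and compare with `dcdiag /test:NCSecDesc /v`: before /rodcprep both report the right as missing on DomainDnsZones and ForestDnsZones, and after /rodcprep has replicated both come back clean. Note that Get-ADDomainController -Filter only looks at the current domain, so in a multi-domain forest repeat the RODC check per domain.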

Additional information on this error:

http://support.microsoft.com/kb/967482